- Certik has admitted to making “errors in judgment” regarding a vulnerability in the Kraken platform
- The firm has acknowledged its poor communication with Kraken, which led to a public dispute and community concerns
- Certik came off second best after the dispute played out on social media
Blockchain security firm Certik has admitted to making “errors in judgment” regarding a vulnerability at crypto exchange Kraken, an episode that led to a public fallout. The firm noted that it “poorly communicated with Kraken, resulting in a public dispute that raised significant concerns within the community,” which some would argue is an understatement of the matter. Certik came off second best in a social media battle in June, after a security researcher withdrew $3 million from the exchange and failed to return it, an action which Kraken Chief Security Officer Nick Percoco called “extortion.”
$3 Million Withdrawn
Kraken received a bug bounty alert from Certik in early June, but the researchers did not follow standard white-hat hacking protocols. Initially, the bug was demonstrated with a small crypto transfer, but the researchers allegedly shared the bug with others, leading to a $3 million withdrawal from Kraken’s platform.
Kraken’s bug bounty program offers up to $1.5 million for critical issues, but Certik treated the situation as a criminal case, refusing to return funds until Kraken provided damage estimates. Certik claimed that Kraken threatened its employees and demanded a mismatched repayment amount, which escalated the situation, and the crypto community criticized Certik’s handling of the bug report.
Certik Says it Has Learned Its Lesson
Certik returned the funds after 48 hours of public backlash, maintaining that its priority had been fixing the issue, not requesting a bounty, and stated that Kraken had been the first to mention the possibility of payment.
In a statement published over the weekend, Certik admitted it was at fault:
“We notified the exchange to ensure this important vulnerability was fixed—which was a win for blockchain and Web3 security. However, in conducting this work, we made errors in judgment and poorly communicated with Kraken, resulting in a public dispute that raised significant concerns within the community.”
The company acknowledged that it had not handled the issue in the right way, saying that it regrets the incident and “has taken necessary steps to minimize the risk of similar misunderstandings occurring again.”
Kraken has not publicly responded to the admission.